{"id":20810206,"url":"https://github.com/s-hamann/ansible-ldap-client","last_synced_at":"2026-05-26T05:02:11.080Z","repository":{"id":94680077,"uuid":"234693314","full_name":"s-hamann/ansible-ldap-client","owner":"s-hamann","description":"Ansible role to set up a generic proxy for LDAP clients to handle client certificates","archived":false,"fork":false,"pushed_at":"2025-12-09T19:31:21.000Z","size":14,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-27T13:31:05.556Z","etag":null,"topics":["ansible-role","client-certificate","ldap-client","stunnel","tls"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s-hamann.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-01-18T06:40:56.000Z","updated_at":"2025-12-09T19:31:24.000Z","dependencies_parsed_at":"2023-03-03T19:15:30.919Z","dependency_job_id":null,"html_url":"https://github.com/s-hamann/ansible-ldap-client","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/s-hamann/ansible-ldap-client","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s-hamann%2Fansible-ldap-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s-hamann%2Fansible-ldap-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s-hamann%2Fans
ible-ldap-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s-hamann%2Fansible-ldap-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s-hamann","download_url":"https://codeload.github.com/s-hamann/ansible-ldap-client/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s-hamann%2Fansible-ldap-client/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33504806,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T03:12:49.672Z","status":"ssl_error","status_checked_at":"2026-05-26T03:12:47.976Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible-role","client-certificate","ldap-client","stunnel","tls"],"created_at":"2024-11-17T20:20:57.870Z","updated_at":"2026-05-26T05:02:11.068Z","avatar_url":"https://github.com/s-hamann.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"LDAP Client\n===========\n\nThis role prepares the system to connect to an LDAP directory which requires a client certificate.\nFor this purpose, [stunnel](https://www.stunnel.org/) is set up as a local proxy which accepts unencrypted LDAP traffic and forwards it to the directory server via an encrypted connection.\nThis proxy handles the client certificate, but not binding to the directory 
itself.\n\nRequirements\n------------\n\nThe client certificate and matching private key need to be present on the target system.\nThis role does not handle generating or deploying them.\n\nRole Variables\n--------------\n\n* `ldap_client_extra_groups`  \n  A list of groups that the stunnel system user is added to.\n  This allows granting access to additional resources, such as the private key file.\n  All groups need to exist on the target system; this role does not create them.\n  Empty by default.\n* `ldap_client_inaccessible_paths`  \n  If the target system uses systemd, this option takes a list of paths that should not be accessible at all for stunnel.\n  Regardless of this option, home directories are made inaccessible and the rest of the file system is mostly read-only.\n  Optional.\n* `ldap_client_server`  \n  The LDAP server host name or IP address to proxy to.\n  The system needs to support the LDAPS protocol; STARTTLS is not sufficient.\n  Mandatory.\n* `ldap_client_trusted_ca`  \n  Path to a file containing the PEM-encoded X.509 certificate of the LDAP server's issuing CA.\n  If not set, the system's certificate store is used.\n* `ldap_client_tls_cert`  \n  Path to a PEM-encoded X.509 client certificate for stunnel to use.\n  The file needs to exist and be readable by the stunnel user.\n  Mandatory.\n* `ldap_client_tls_cert_key`  \n  Path to the PEM-encoded private key file for the certificate.\n  The file needs to exist and be readable by the stunnel user.\n  Mandatory.\n* `ldap_client_tls13_only`  \n  If set to `true`, this role attempts to enforce TLSv1.3 only.\n  If the target system's OpenSSL version does not support TLSv1.3 or if `ldap_client_tls13_only` is `false`, TLSv1.2 is enforced as the minimum supported protocol version.\n  Defaults to `false`.\n\nExample Playbook\n----------------\n\n```yaml\n- hosts: servers\n  roles:\n    - role: ldap-client\n      become: true\n      ldap_client_servers:\n        - ldap.example.org\n      
ldap_client_tls_cert: /etc/ssl/private/client.pem\n      ldap_client_tls_cert_key: /etc/ssl/private/client.key\n```\n\nLicense\n-------\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs-hamann%2Fansible-ldap-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs-hamann%2Fansible-ldap-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs-hamann%2Fansible-ldap-client/lists"}